I wouldn't trust myself. If this shopping cart is for a client, and is not being written just for fun, I'd download Interchange, an open-source shopping cart script and use that. Security before pride, especially if the code is for someone else.

If this is just for fun, my suggestion is keep the session and the cart apart. Stuffing all the information into one session that's passed back and forth would work, however, for debugging (and future additions) sake, keep them seperate. If you feel the need, you could always integrate them later.